Added config reload

k8s/apps/amnezia/configmap-scripts.yaml

@@ -126,7 +126,7 @@ data:
     set -euo pipefail
 
     SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
-    CLIENTS_DIR="/etc/amnezia/clients"
+    CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
     RUNTIME_CONFIG="/run/amnezia/awg0.conf"
     SYNC_CONFIG="/run/amnezia/awg0.sync.conf"
     STATUS_FILE="/run/amnezia/reload-status"
@@ -229,6 +229,62 @@ data:
     write_reload_status applied "${initial_hash}"
     watch_client_config "${initial_hash}"
 
+  client-secret-sync.sh: |
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    CLIENT_SECRET="${AMNEZIAWG_CLIENT_SECRET:-amneziawg-clients}"
+    CLIENT_SECRET_KEY="${AMNEZIAWG_CLIENT_SECRET_KEY:-peers.conf}"
+    CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
+    PEERS_FILE="${CLIENTS_DIR}/peers.conf"
+    SYNC_INTERVAL="${AMNEZIAWG_CLIENT_SECRET_SYNC_INTERVAL:-5}"
+    NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
+
+    write_empty_once() {
+      mkdir -p "${CLIENTS_DIR}"
+      if [ ! -f "${PEERS_FILE}" ]; then
+        : > "${PEERS_FILE}"
+        chmod 0600 "${PEERS_FILE}"
+      fi
+    }
+
+    sync_once() {
+      mkdir -p "${CLIENTS_DIR}"
+      local tmp_file="${PEERS_FILE}.tmp"
+      local encoded=""
+
+      if ! encoded="$(kubectl get secret "${CLIENT_SECRET}" -n "${NAMESPACE}" -o "go-template={{ index .data \"${CLIENT_SECRET_KEY}\" }}" 2>/dev/null)"; then
+        echo "WARN: failed to read Secret ${NAMESPACE}/${CLIENT_SECRET}; keeping current peers" >&2
+        write_empty_once
+        return 0
+      fi
+
+      if [ -n "${encoded}" ]; then
+        printf '%s' "${encoded}" | base64 -d > "${tmp_file}"
+      else
+        : > "${tmp_file}"
+      fi
+      chmod 0600 "${tmp_file}"
+
+      if [ -f "${PEERS_FILE}" ] && cmp -s "${tmp_file}" "${PEERS_FILE}"; then
+        rm -f "${tmp_file}"
+        return 0
+      fi
+
+      mv "${tmp_file}" "${PEERS_FILE}"
+      echo "Synced AmneziaWG client peers from Secret ${NAMESPACE}/${CLIENT_SECRET}:${CLIENT_SECRET_KEY}"
+    }
+
+    if [ "${1:-}" = "once" ]; then
+      sync_once
+      exit 0
+    fi
+
+    while true; do
+      sync_once || true
+      sleep "${SYNC_INTERVAL}"
+    done
+
   status-patch.sh: |
     #!/usr/bin/env bash
     set -euo pipefail